
Re: Python Magazine

References (5 earlier) <51a0caac$0$30002$c3e8da3$5496439d@news.astraweb.com> <roy-3B8F45.11301825052013@news.panix.com> <7cd17be8-d455-4db8-b8d0-ccc757db5cff@googlegroups.com> <roy-3B69E7.21544325052013@news.panix.com> <8f19e20c-4f77-43dc-a732-4169e482d2b2@googlegroups.com>
Date 2013-05-26 13:45 +1000
Subject Re: Python Magazine
From Chris Angelico <rosuav@gmail.com>
Newsgroups comp.lang.python
Message-ID <mailman.2157.1369539932.3114.python-list@python.org>


On Sun, May 26, 2013 at 1:04 PM, John Ladasky
<john_ladasky@sbcglobal.net> wrote:
> A perfectly fair point, Roy.  It's just when you started suggesting connecting to your neighbor's file server -- well, that's not something that many people would ordinarily do.  So, my mind leaped to the possibility of uninvited connections.
>
> Related question: would denial-of-service attacks be more pernicious without a NAT?

Not sure what you mean. If we assume that network topology doesn't
change, then what we have is a single uplink (say, an ADSL connection,
given that most home users don't have luxuries) going to a router
(let's be generous here and say that's a Linux box with two NICs, and
you have a smart admin in charge of it), behind which is a set of
switches and computers making up a LAN of peers. On IPv4, the LAN
would operate on one of the RFC 1918 address blocks - say, 192.168.0.x
- and all external communication would be through one single IP
address - 203.0.113.47 will do for the purposes of discussion.

As far as other hosts on the internet are concerned, that entire
network is one single host, with address 203.0.113.47. It's unaware of
the three computers 192.168.0.4, .0.87, and .0.92; they merge into
one. This means they share the 65536 ports, they share entries on
blacklists, etc, etc.

With IPv6, that ADSL connection would come with a /64 block - say,
2001:db8:142:857::/64. Within that block, each computer would be
assigned a single address - perhaps 2001:db8:142:857::4,
2001:db8:142:857::87, and 2001:db8:142:857::92, or perhaps they'd be
assigned them by their MAC addresses, e.g.
2001:db8:142:857:200:5eff:fe00:531a, which can be done automatically.
Now all your computers (including the router) are individually
addressable; they can be identified separately, or treated as a group
(the /64 representing the whole group). Their ports, blacklist
entries, etc, are all unique. This means you can run three servers on
port 80, etc.

The question now is: What sort of DOS attack are you fearing? If it's
a simple matter of saturating the connection, it makes absolutely no
difference. As Roy said, that's just a question of overloading. If I
command more bandwidth than you do, I can saturate you. Easy. (Very
easy if I have a botnet, for instance.) Harder to judge are the
amplifying attacks; a half-open-connection attack, for instance,
attacks a TCP server's RAM allocation. It's possible that some attacks
will be easier or harder with NAT than without, but you'd have to
evaluate a specific attack technique.

ChrisA
